If the implementation of a freshly launched patch is not released to those online platforms which take advantage of the WordPress SEO Plugin (versions 220.127.116.11, or older), in order to fully optimize search engine data, the likelihood of them being attached by outside forces is increased.
How To Handle SQL Injection Weaknesses
This WordPress SEO plugin by Yoast offers users a wealth of valuable features, tools, and services. However, it also appears to be plagued by an SQL injection weakness, which can sometimes be referred to as a ’blind SQL weakness.’
The system was recently evaluated by security specialist Ryan Dewhurst, who is responsible for the discovery of the weakness.
This security flaw allows invaders to gain a certain level of control over a website database, and then give themselves administrative rights over the system. It can cause serious problems, and result in the loss or theft of sensitive information.
Helping Invaders Create Chaos
If an invader wishes to take advantage of this SQL injection weakness, they first need to gain some degree of system credibility. According to Dewhurst, due to the fact that cross-platform request invasion security is either very rare, or not very effective, hackers are able to fool a user who does have the right credentials.
This user could be an author, an editor, a manager, or a website supervisor. The invader must somehow drive them to either visit a dangerous webpage, or interact with a malicious link. Then, the doors are open for the invader to wreak havoc within the system.
Dealing with a CSRF Invasion
For the uninitiated or inexperienced, it is important to quickly learn that a CSRF invasion is defined by an attack which prompts a browser to carry out unwanted processes, on third party platforms. The vast majority of the time, this has been allowed to occur because a user has unwittingly visited a malicious website established by the invader, and designed to illegally gain access to a system.
Spotting the Problem
Yoast has now addressed some of these issues, and has reportedly made it impossible for a CSRF invasion to occur, and remain undetected. In other words, it has put robust processes in place for dealing with this kind of attack.
This week, Yoast released a public statement on its effort to reduce security concerns, and announced details of the WordPress SEO Plugin version 1.7.4, and the 1.5.3 variation of the WordPress commercial range. It is believed that all affected systems have been thoroughly investigated for weaknesses, and strengthened all across the board.
What did Yoast actually change?
According to a statement from Yoast, the basic explanation for those who are not very experienced pertains to the fact that these changes will prevent authenticated users from being taken advantage of by sneak hackers, who only want to direct them to dangerous websites, in order to steal their access data.
A Community Issue
Furthermore, it issued an apology for taking so long to detect and repair the weakness, after recognizing that no matter the reason why the security flaw was missed, thousands of users were put at risk. Interestingly, it also chose to thank Dewhurst for bringing the problem to their attention, and for allowing them to create a fix before alerting users to the dangers.
See also: Essential Tips for Becoming a Hacker
This just goes to show that, where online security is concerned, there is no room for selfish actions. Whilst Dewhurst could have publicly released details of the failing, and scored himself some points for spotting it in the process, it would not have benefited him in the long run - online security is a community issue, and it has always been handled by the community.